0
votes

I have a Glue job which fetches data from one S3 bucket and transfers/puts it into another. My job works properly if I disable KMS encryption, but it does not work with KMS encryption enabled.

Error: An error occurred while calling o79.pyWriteDynamicFrame. Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied)

I have added this policy also

    {
        "Effect": "Allow",
        "Action": [
            "kms:Decrypt"
        ],
        "Resource": [
            "arn:aws:kms:region:account-name:key/kms-encryptionkey"
        ]
    }

Suggest how I can transfer data between s3 buckets using Glue with KMS Encryption Enabled.

2

2 Answers

3
votes

First, you have to check whether the KMS key policy allows access to the IAM role used by Glue, since an IAM permission alone is not enough. You can also include the IAM role in the key policy, and that'll be one approach.

If you want to give KMS permission via an IAM policy, then add the following API actions:

1> To PutObject and encrypt it, add "kms:GenerateDataKey" with the key ID as the resource.

2> To GetObject (and decrypt it), "kms:Decrypt" (which you have).
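To make the two points in this answer concrete, here is an added example (written for this page; it is not the poster's code and not an AWS tool): the question's policy as posted next to a corrected IAM policy statement for the Glue job role, a matching key-policy statement for the KMS key itself, and a small pre-flight check that reports which of the two required KMS actions a policy fails to grant on a given key. The key ARN and role ARN are constructed placeholders. The checker only looks at Allow statements and ignores conditions and explicit Deny statements, so it is a sanity check on what you are about to attach, not an IAM authorizer.

```python
import fnmatch
import json

# Constructed placeholder ARNs for this example; substitute your own key and role.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
GLUE_ROLE_ARN = "arn:aws:iam::111122223333:role/EXAMPLE-GlueJobRole"

# What the Glue job needs on the key: GenerateDataKey to write SSE-KMS objects
# (S3 requests a data key from KMS for each object) and Decrypt to read them.
REQUIRED_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt")

# The question's policy as posted: Decrypt only, which explains the 403 on the write side.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": [KEY_ARN]}
    ],
}

# Corrected IAM policy for the Glue job role: both actions, scoped to the one key.
CORRECTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
            "Resource": [KEY_ARN],
        }
    ],
}

# Key-policy statement to add on the KMS key itself (Resource is "*" in a key policy
# because the policy is attached to the key). Without this, the IAM grant above is not enough.
KEY_POLICY_STATEMENT = {
    "Sid": "AllowGlueJobRoleToUseKey",
    "Effect": "Allow",
    "Principal": {"AWS": GLUE_ROLE_ARN},
    "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
    "Resource": "*",
}


def _as_list(value):
    """IAM allows a single string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy, key_arn):
    """Return the subset of REQUIRED_ACTIONS that some Allow statement grants on key_arn.

    Action names are matched case-insensitively with IAM-style wildcards (e.g. "kms:*",
    "kms:GenerateDataKey*"); resource ARNs are matched case-sensitively with wildcards.
    """
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(key_arn, r) for r in resources):
            continue
        for needed in REQUIRED_ACTIONS:
            if any(fnmatch.fnmatchcase(needed.lower(), a) for a in actions):
                granted.add(needed)
    return granted


def missing_kms_actions(policy, key_arn):
    """List the required KMS actions that `policy` does not grant on `key_arn`."""
    have = allowed_actions(policy, key_arn)
    return [a for a in REQUIRED_ACTIONS if a not in have]


if __name__ == "__main__":
    print("original policy is missing:", missing_kms_actions(ORIGINAL_POLICY, KEY_ARN))
    print("corrected policy is missing:", missing_kms_actions(CORRECTED_POLICY, KEY_ARN))
    print("key policy statement to add:")
    print(json.dumps(KEY_POLICY_STATEMENT, indent=2))
```

Run it as-is and the original policy reports `kms:GenerateDataKey` as missing while the corrected one reports nothing; pass your own policy document (for example the output of `get-role-policy`) to `missing_kms_actions` with your key ARN to check a role before re-running the job. Remember to add the key-policy statement too, since KMS evaluates the key policy as well as the caller's IAM policy.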

0
votes

Enabling encryption in a Glue job means that you want to write objects using a KMS key, so you have to allow the "kms:Encrypt" action.

The "kms:Decrypt" action is needed only if your input data is SSE-encrypted with KMS:

If you plan to access Amazon S3 sources and targets that are encrypted with SSE-KMS, then attach a policy that allows AWS Glue crawlers, jobs, and development endpoints to decrypt the data.